Biometric metadata bureau

ABSTRACT

Biometric markers are seen as a secure and convenient way to control an individual's access to systems. The data that comprise these access controls, however, can be spoofed by nefarious third parties. Therefore, systems and methods are provided that track metadata related to the usage of biometric markers as access control devices to improve the security of systems using biometric markers for access control and to improve the speed and efficiency for systems when re-granting access for an individual in the event that access was revoked or suspended. A bureau collects metadata related to the authentication of individuals via biometric markers and the activities of the individual and the systems accessed. These metadata are used by the bureau to alert affected parties of potential misuse of biometric data and to reduce the processing requirements, storage requirements, and number of communications to on-board or re-authenticate an individual.

BACKGROUND

Biometric markers are increasingly being used in various industries as a secure and convenient way to authenticate individuals. Biological markers, such as, for example, fingerprints, blood vessel geometries, facial features, iris patterns, retinal patterns, and voice prints, are read by biometric scanners for controlling access to services or locations. These biological markers are seen as more secure and convenient than passwords or Personal Identification Numbers (PIN) for remote authentication of individuals or keys, keycards, or identification cards for local access or identification.

Biometric data are seen as more secure than other methods of authentication because the initial onboarding of data is currently accomplished with a device known to the authenticator, after the individual has already proven their identity by a secondary means. Once a biometric is stored and trusted, it may be used repeatedly on the device without the individual needing to remember passwords, patterns, or multi-factor authentication systems. Additionally, biometric markers are less prone to exposure via social engineering than other access control means. However, as biometric data are beginning to be used for remote logins, and as data breaches begin to spread knowledge of individuals' biometric markers, the security and convenience of biometric data as an authentication factor is under threat.

BRIEF SUMMARY

The present disclosure provides systems and methods for increasing confidence in biometric data on-boarded by devices outside of a user's control for authenticating an individual within the user's domain. The present disclosure's systems and methods further provide increased security for the individual authenticated by biometric data across different domains by tracking how those data are used, and periodically reporting the context of biometric data use. As a result, the present disclosure improves the speed, efficiency, and security of authenticators using biometric markers for access control.

As used herein, the term “individual” refers to a person or animal who will be authenticated via a biometric marker or biometric data, an “authenticator” refers to an entity or system that grants or denies access to the individual based on received biometric data, and the term “bureau” refers to a system that operates between parties in the chain of communications that tracks the use and context of use of the biometric markers to administer metadata related to the biometric data. In various aspects, the metadata include, but are not limited to, the steps taken to verify the individuals during onboarding, the identity of persons or entities who have on-boarded the individuals or their biometric markers, the equipment and capabilities thereof of the devices used when onboarding the individuals, the type of biometric markers authenticated, the frequency of use of the biometric markers, the domains in which the biometric markers are used, the locations in which the biometric markers are used, and where the biometric data are stored.

By using the metadata in conjunction with the presented biological markers, the authenticators who have not on-boarded a given individual may decide whether to trust the biometric marker or biometric data presented by the individual that is alleged to have been properly on-boarded by another authenticator. An authenticator or an individual may also track the reliability and security of biometric data for a given biometric marker from a given source by knowing its use history from metadata administered by the bureau.

The systems and methods provided in the present disclosure overcome problems related to electronic systems by reducing the needs for repeated on-boardings via controlled hardware, storing sensitive information in multiple locations (thus reducing the memory requirements of the electronic systems), and improving the security of biometric markers in remote settings.

Aspects of systems and methods described herein may be practiced in hardware implementations, software implementations, and in combined hardware/software implementation. This summary is provided to introduce a selection of concepts; it is not intended to identify all features or limit the scope of the claimed subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate various aspects and examples of the present invention. In the drawings:

FIG. 1A is a block diagram illustrating an example system using a bureau to improve the reliability and security of systems that use biometric markers locally;

FIG. 1B is a block diagram illustrating an example system using a bureau to improve the reliability and security of a system that uses biometric markers remotely;

FIG. 2 is a diagram of example biometric markers;

FIG. 3 is a block diagram illustrating example components of a bureau;

FIG. 4 is a flow chart showing general stages involved in an example method for improving the security of systems that use biometric markers for access control;

FIG. 5 is a flow chart showing general stages involved in an example method for improving the efficiency and speed of on-boarding for systems that use a biometric marker for access control; and

FIG. 6 is a block diagram illustrating physical components of an example computing device with which aspects may be practiced.

DETAILED DESCRIPTION

The following detailed description refers to the accompanying drawings. Wherever possible, the same reference numbers are used in the drawings and the following description to refer to the same or similar elements. While aspects of the present disclosure may be described, modifications, adaptations, and other implementations are possible. For example, substitutions, additions, or modifications may be made to the elements illustrated in the drawings, and the methods described herein may be modified by substituting, reordering, or adding stages to the disclosed methods. Accordingly, the following detailed description does not limit the present disclosure, but instead, the proper scope of the present disclosure is defined by the appended claims. Examples may take the form of a hardware implementation, or an entirely software implementation, or an implementation combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.

The present disclosure provides systems and methods for increasing confidence in biometric data on-boarded by devices outside of a user's control for authenticating an individual within the user's domain. The present disclosure's systems and methods further provide increased security for the individual authenticated by biometric data across different domains by tracking how those data are used and periodically reporting the context of biometric data use. As a result, the present disclosure improves the speed, efficiency, and security of authenticators using biometric markers for access control.

As used herein, the term “individual” refers to a person or animal who will be authenticated via a biometric marker or biometric data, an “authenticator” refers to a person or entity that grants or denies access to the individual based on received biometric data, and the term “bureau” refers to a system that operates between parties in the chain of communications to track the use and context of use of the biometric markers to administer metadata related to the biometric data. In various aspects, the metadata include, but are not limited to, the steps taken to verify the individuals during onboarding, the identity of authenticator(s) who have on-boarded the individuals or their biometric markers, the equipment and capabilities thereof of the devices used when onboarding the individuals, the type of biometric markers authenticated, the frequency of use of the biometric markers, the domains in which the biometric markers are used, the locations in which the biometric markers are used, and where the biometric data are stored.

By using the metadata in conjunction with the presented biological markers, the authenticators who have not on-boarded a given individual may decide whether to trust the biometric marker or biometric data presented by the individual that is alleged to have been properly on-boarded by another authenticator. An authenticator or an individual may also track the reliability and security of biometric data for a given biometric marker from a given source by knowing its use history (e.g., frequency of use in different systems, whether a system has had a data breach concerning the marker) from metadata administered by the bureau.

The systems and methods provided in the present disclosure overcome problems related to electronic systems by reducing the needs for repeated on-boardings via controlled hardware, storing sensitive information in multiple locations (thus reducing the memory requirements of the electronic systems), and improving the security of biometric markers in remote settings.

FIG. 1A is a block diagram illustrating an example system 100 using a bureau 110 to improve the reliability and security of systems that use biometric markers locally. As illustrated, a first authenticator 130 a (generally, authenticator 130) and a second authenticator 130 b are in communication with the bureau 110 and with a given individual 120 whose biometric markers are used for authentication. As will be appreciated, although two authenticators 130 are illustrated in FIG. 1A, a given individual 120 may use more or fewer authenticators 130 in conjunction with the bureau 110, and the bureau 110 is operable to serve multiple individuals 120. As will also be appreciated, the system that the individual logs into may be remote to the individual 120, which is discussed in greater detail in regard to FIG. 1B, and the terms “local” and “remote” are relative terms of location based on the individual 120 (and biometric scanner 140) compared to the system using biometric markers as part of an access control scheme.

Each locally implemented authenticator 130 includes a biometric scanner 140 and a local system 150 to which the individual 120 is granted or denied access based on the provided biometric marker. For example, a first authenticator 130 a may be a smartphone, which uses its camera as its biometric scanner 140 a to grant the individual 120 access to the local system 150 a of the smartphone. In another example, a second authenticator 130 b may be a laptop computer, which uses a thumbprint reader as its biometric scanner 140 b to grant the individual 120 access to the local system 150 b of the laptop's operating system. If the individual 120 provides the correct biometric marker to the biometric scanner 140, the individual 120 will be authenticated by the authenticator 130, and granted appropriate access to the local system 150. However, if the individual 120 does not provide the correct biometric marker to the biometric scanner 140, the individual 120 is denied access to the local system 150.

In various aspects, more than one biometric scanner 140 and more than one local system 150 may be part of a device used as an authenticator 130. For example, a computer may have a camera, a microphone, and a thumbprint scanner that can be used as biometric scanners 140. A given device may also have multiple local systems 150 to which it grants access via a single biometric marker or via separate biometric markers. For example, a computer may provide access to a local system 150 of an operating system via a first biometric marker and automatically provide access to a first program (a second local system 150) via the first biometric marker, but a second program (a third local system 150) may require a second biometric marker for access. Similarly, remote systems 155, which are discussed in regard to FIG. 1B, may also reuse biometric markers between systems or have different requirements for a biometric marker and therefore require a different biometric marker for access.

To determine whether a biometric marker is “correct” and whether to authenticate an individual 120 to provide access to a system, the individual 120 must first be on-boarded by the authenticator 130. As will be appreciated, on-boarding is a registration process that links an individual's access rights to a biometric dataset 160. An individual 120 may be on-boarded when an account for the individual 120 is first created, or when a new biometric dataset 160 replaces an existing biometric dataset 160. For example, when an individual 120 first purchases a smartphone, the individual 120 may be prompted to set up an access-restriction scheme (e.g., a password, a personal identification number (PIN), a secret pattern, a biometric marker). If the individual 120 selects a biometric marker to be used as part of an access restriction scheme, the individual 120 will have the selected biometric marker read by the biometric scanner 140 and converted into a biometric dataset 160. The biometric dataset 160 is stored by the authenticator 130 so that when the individual 120 has the biometric marker scanned subsequently, the results can be compared to the stored biometric dataset 160 to determine whether the scanned biometric marker matches the biometric dataset 160 and the individual 120 should therefore be granted access. Accurately matching a marker with an individual 120 is important, so that one individual 120 cannot gain access to another's accounts and profiles and the individual 120 can reliably gain access to the correct accounts and profiles. Therefore, the biometric scanner 140 may include various subsystems and processes to ensure that a presented biometric marker yields a biometric dataset 160 of sufficient detail and clarity to accurately match with a unique individual 120. It is therefore assumed in the present disclosure that, unless stated otherwise, the biometric dataset 160 accurately maps to one individual 120; otherwise the systems will reject the scanned biometric marker and request a rescan or alternative/additional authentication (e.g., a different biometric marker, username/password pair, PIN).

When on-boarding for a personal system, such as a smartphone, no supplemental authentication is needed, because individuals 120 know who they are; they are able to self-authenticate before on-boarding. When on-boarding for a shared system, such as a building's security system, however, additional authentication of the individual's identity may be required. For example, the individual 120 may present photo identification to a system administrator before the system administrator will allow the individual's biometric marker to be on-boarded as the biometric dataset 160. What is on-boarded as the biometric dataset 160 will vary based on the biometric marker(s) used, and the capabilities of the biometric scanner 140 used to onboard the biometric dataset. For example, the biometric dataset 160 may store an entire scan of the biometric marker, or may be a compressed reading of the biometric marker, such as a graph or a code based on the biometric marker, and the algorithms used to analyze and compress the scans (and the starting resolutions of the scans) may vary between authenticators 130.

How the authenticator 130 authenticates the individual 120 is represented by an authentication dataset 170. An authentication dataset 170 includes the metadata for the initial access conditions on how the biometric dataset 160 is generated and how a biometric marker is checked against the biometric dataset 160 for a given authenticator 130. For example, the authentication dataset 170 may specify the resolution of a camera, the gain of a microphone, the bits-per-second of a sound recording, the sensitivity of a touch panel, etc., used as a biometric scanner 140, a number of data points used in a biometric dataset 160, the file format in which the biometric dataset 160 is stored, which biometric markers are checked by an authenticator 130, what information (e.g., driver's license, passport, personal recognition, nothing) was checked by a third party to authenticate the individual 120, the permissiveness of authentication procedures (i.e., how different a presented biometric marker can be from the on-boarded biometric dataset 160 to still be correct), etc. The authentication dataset 170 is specific to each authenticator 130, such that a first authentication dataset 170 a is associated with a first authenticator 130 a and a second authentication dataset 170 b is associated with a second authenticator 130 b.

The bureau 110 is in communication with the authenticators 130, and is operable to receive the authentication dataset 170 from each authenticator 130 to build a meta dataset 180. The meta dataset 180 includes information on the access conditions for the use of the biometric marker, for example, about the frequency of use of a given authenticator 130, the frequency of use of a given biometric marker, the frequency of use of a given biometric dataset 160, where the authentications took place (e.g., a geographic location or business), who requested the authentication (e.g., personal use, access to a third party system, identity verification), how the biometric marker and the individual 120 were on-boarded, the domain or system that authentication granted access to, whether the authentication was successful, how many attempts were made for successful authentication, and security of the authentication (e.g., encryption used to store the biometric dataset 160, who stores the biometric dataset 160, encryption used to transmit the biometric dataset 160, to whom the biometric dataset 160 has been transmitted).

With the collected meta dataset 180, the bureau 110 is operable to communicate with the authenticators 130 to improve the security and reliability of the biometric datasets 160 used by the authenticators 130. To illustrate this improvement, consider an example in which a first authenticator 130 a is a personal smartphone and a second authenticator 130 b is a business smartphone used by the same individual 120. In this example, when the meta dataset 180 indicates to the bureau 110 that the business smartphone requires encrypted storage for its biometric dataset 160 b, but that the first biometric dataset 160 a is stored by the first authenticator 130 a in an unencrypted format (or with encryption that fails to meet the encryption requirements for the second authenticator 130 b), the second authenticator 130 b will be alerted to require the individual 120 to use a different biometric marker from that used for the first authenticator 130 a to generate the second biometric dataset 160 b. By requiring a different biometric marker for authentication, the second authenticator 130 b can ensure the security of the domain to which it grants access is not compromised by the lax security of other authenticators 130. As will be appreciated, a bureau 110 provides other improvements to the security and functionality of systems using biometric markers as an access restriction tool.

FIG. 1B is a block diagram illustrating an example system 105 using a bureau 110 to improve the reliability and security of a system that uses biometric markers remotely. As illustrated, an authenticator 130 is broken into two components: a portion local to the individual 120 (the local portion 135 a), which includes a biometric scanner 140, and a portion remote to the individual 120 (the remote portion 135 b), which includes the remote system 155 that the individual 120 seeks to access. Each of these portions is in communication with the other via a network, such as the Internet or an intranet, and the bureau 110 is disposed between the portions so that communications between the portions are monitored to further build the meta dataset 180. Although only one local portion 135 a is illustrated, it should be understood that a remote system 155 may be accessed by several different devices acting as local portions 135 a in different configurations of an authenticator 130. For example, a given individual 120 may access a remote system 155 of an email server via a smartphone or a desktop computer, wherein both of these example devices act as the local portion 135 a to the remote portion 135 b that includes the example email server. The local system 150 of a local portion 135 a in these examples may include master systems (e.g., an operating system) and subsystems (e.g., email clients, online banking applications, health record lookup systems, tax preparation software) that are used to access and communicate with the remote system 155.

The bureau 110 is located in the path of communications between remote systems 155 and local systems 150, and is operable to communicate with each individually and monitor communications over the network between systems. In various aspects, monitoring the use of biometric markers entails monitoring the location of a biometric scanner 140 when a biometric marker is presented (e.g., an Internet Protocol (IP) address, a business name and address, cell-tower derived coordinates, global positioning system (GPS) coordinates, a network providing access to the Internet), a time when the biometric marker is presented, a frequency of presentation (or of rejection), a device from which the biometric dataset 160 is sent, an individual 120 associated with the biometric dataset 160, and the frequency and duration of communications between the local portion 135 a and the remote portion 135 b. In further aspects, the bureau 110 may inspect the biometric dataset 160 and the communications between the local portion 135 a and the remote portion 135 b to determine the types of actions taken by the individual 120 regarding the remote system 155, which biometric dataset 160 is being used, whether additional authentication is used, and when access is terminated (e.g., a timeout event, a logout request, a transactional security violation). The usage data are collected and made part of the meta dataset 180 so that patterns and data regarding the use of the biometric marker (e.g., the access conditions) are available to the bureau 110. In various aspects, information comprising the meta dataset 180 is extracted from the header information of communications, which indicate message source, message destination, time of transmission, etc.

In various aspects, a local portion 135 a may be part of multiple authenticators 130, both local and remote. For example, an individual 120 may use a smartphone's camera or touch screen to log in to the phone, making the smartphone a local authenticator 130 for the local system 150 of the smartphone, and the individual 120 may use the smartphone's camera or touch screen to log in remotely to an email service, making the smartphone a local portion 135 a and the email server the remote portion 135 b of a remote authenticator 130.

Because the local system 150 knows the hardware capabilities of the biometric scanner 140 available to it, while a myriad of biometric scanners 140 with different capabilities may attempt to authenticate an individual 120 with a remote system 155, the remote system 155 may specify what biometric datasets 160 are allowable to authenticate an individual 120 via authentication requirements 175. In various aspects, the authentication requirements 175 set which biometric datasets 160 are insufficiently complex (or too complex) to authenticate an individual 120 and the on-boarding procedures needed to confirm the identity of an individual 120 before access will be granted for the remote system 155. For example, a remote system 155 may set authentication requirements 175 that a biometric scanner 140 must scan a certain biometric marker and have a certain level of detail in that biometric marker and that a trusted party confirms that the individual 120 is who they claim to be (e.g., the trusted party on-boarded the individual 120).

Additionally, the authentication requirements 175 may specify how an individual 120 accesses a master system to the subsystem that grants access to the remote system 150. For example, a Virtual Private Network (VPN) client is a subsystem to a master system of an operating system, and the authentication requirements 175 for the remote system 155 that the VPN client connects to may specify security requirements for the VPN client and for the operating system. The bureau 110 is operable to communicate the authentication dataset 170 from the meta dataset 180 for the local systems 150 and other remote systems 155 to a given remote portion 135 b so that it may restrict access to its systems in accordance with its authentication requirements 175. The bureau 110 is further operable to compare the authentication dataset 170 of a local portion 135 a to the authentication requirements 175 of a remote portion and to recommend alternative devices available to the individual 120 or changes in authentication procedures with the same device for the individual 120 so that the individual 120 can meet the authentication requirements 175 with a given device. For example, when the authentication requirements 175 specify that the local system 150 acting as a master system must be accessed by an access control scheme (i.e., the individual 120 cannot leave the device unlocked; a password, PIN, pattern, or biometric marker must be used) before a subsystem granting access to the remote system 155, the bureau 110 will recommend to the individual 120 an appropriate access control to use for the master system and for the subsystem.

Because the remote system 155 is not part of the same device as the biometric scanner 140, the bureau 110 is operable to track and manage the various authentication requirements 175 of remote systems 155. To ensure that the biometric scanner 140 collects a biometric dataset 160 that meets with the needs of the remote system 155, the remote system 155 sets authentication requirements 175, which are shared with the local portion 135 a that specify what sort of biometric dataset 160 is required for an individual 120 to be authenticated by the remote system 155. In various aspects, the capabilities of the biometric scanner 140 (e.g., the Samples per Inch (SPI) of a scanner, the megapixels and color encoding of a digital camera, the sensitivity of a microphone) may be determined to meet or fail the authentication requirements 175. The authentication requirements 175 may also specify how the individual 120 is to be on-boarded, including trusted parties that may on-board an individual 120 and procedures to verify the identity of the individual 120.

Authentication requirements 175 for access to the remote system 155 are set by the remote portion 135 b which describes what authentication datasets 170 are acceptable by the remote system 155. For example, the remote system 155 may require the use of a given biometric marker, or require that a given on-boarding process be used, and the biometric scanner 140 may be capable or incapable of meeting the authentication requirements 175. The bureau 110 provides additional data to the remote portions 135 b related to knowledge of previously lost/stolen biometric datasets 160 and preferences for the individuals 120 attempting to use the remote system 155 to further improve security and reliability of the authentication requirements 175.
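The following Python example is added here for illustration and is not code from the disclosure. It shows one way a bureau could compare each device's authentication dataset 170 against a remote system's authentication requirements 175 and list the devices that qualify, including the earlier business-smartphone case in which the same marker is stored unencrypted by another authenticator. The schema, field names, failure labels, and sample devices are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Field names and values are assumptions made for this example; the
# disclosure lists the kinds of metadata but defines no schema.


@dataclass(frozen=True)
class AuthDataset:
    """Authentication dataset 170 reported by one authenticator."""
    device: str
    marker: str              # biometric marker type, e.g. "fingerprint"
    scanner_resolution: int  # scanner capability, e.g. samples per inch
    storage_encrypted: bool  # is the biometric dataset 160 encrypted at rest?
    onboarded_by: str        # party that verified identity at on-boarding
    master_locked: bool      # master system protected by an access control


@dataclass(frozen=True)
class AuthRequirements:
    """Authentication requirements 175 set by a remote system."""
    allowed_markers: frozenset
    min_resolution: int
    require_encrypted_storage: bool
    trusted_onboarders: frozenset
    require_master_lock: bool


def weakly_stored_markers(datasets):
    """Markers that at least one of the given authenticators stores unencrypted."""
    return {d.marker for d in datasets if not d.storage_encrypted}


def evaluate(candidate, req, meta_dataset, compromised=frozenset()):
    """Return the reasons `candidate` fails `req`; an empty list means it passes."""
    failures = []
    if candidate.marker not in req.allowed_markers:
        failures.append("marker_not_allowed")
    if candidate.scanner_resolution < req.min_resolution:
        failures.append("scanner_below_min_resolution")
    if candidate.onboarded_by not in req.trusted_onboarders:
        failures.append("onboarder_not_trusted")
    if req.require_master_lock and not candidate.master_locked:
        failures.append("master_system_unlocked")
    if candidate.marker in compromised:
        failures.append("marker_reported_compromised")
    if req.require_encrypted_storage:
        if not candidate.storage_encrypted:
            failures.append("storage_unencrypted")
        # The same marker held unencrypted by any other authenticator
        # undermines this one, so a different marker is required.
        others = [d for d in meta_dataset if d.device != candidate.device]
        if candidate.marker in weakly_stored_markers(others):
            failures.append("marker_stored_unencrypted_elsewhere")
    return failures


def recommend(meta_dataset, req, compromised=frozenset()):
    """Evaluate every known device and list those that satisfy `req`."""
    results = {d.device: evaluate(d, req, meta_dataset, compromised)
               for d in meta_dataset}
    return {"results": results,
            "acceptable": sorted(n for n, f in results.items() if not f)}


# Constructed sample meta dataset 180 for one individual.
META = [
    AuthDataset("personal-phone", "fingerprint", 500, False, "self", True),
    AuthDataset("work-phone", "fingerprint", 500, True, "employer-it", True),
    AuthDataset("work-laptop", "iris", 1200, True, "employer-it", True),
    AuthDataset("kiosk", "iris", 300, True, "employer-it", False),
]
# Constructed requirements 175 for a hypothetical remote system.
REQ = AuthRequirements(frozenset({"fingerprint", "iris"}), 500, True,
                       frozenset({"employer-it"}), True)

if __name__ == "__main__":
    for device, failures in recommend(META, REQ)["results"].items():
        print(device, "OK" if not failures else failures)
```

Passing a set of markers known to be lost or stolen as `compromised` removes every device that relies on them from the acceptable list.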

Remote systems 155 and local systems 150 may have different authentication requirements 175 for a biometric marker to be used for access control. When multiple systems share compatible authentication requirements 175, the bureau 110 may automatically log the individual in to multiple remote systems 155. For example, when a smartphone uses a first biometric marker to log in to the operating system of the smartphone, and an application running on the smartphone also uses the first biometric marker to log in to a remote system 155, the bureau 110 may receive the biometric dataset 160 when the individual 120 logs in to the smartphone, and transmit the biometric dataset 160 to the remote system 155 to log the individual 120 in there as well. Alternatively, if the remote system 155 requires a second biometric marker, the bureau 110 may decline to automatically log the individual in to the remote system 155, and the individual 120 will still need to present the second biometric marker for access to be granted to the remote system 155.

One potential vulnerability inherent to remote systems 155 is the ability for an identity thief 125 to gain access to the biometric dataset 160 and impersonate the individual 120 at the remote system 155. As will be known to those of ordinary skill in the art, to reduce the risk of theft of data (or the usefulness of stolen data) the biometric datasets 160 may be stored in an asymmetric encrypted state, for example, in a hashed or salted state, so that the biometric dataset 160 appears differently when stored on the local portion 135 a than when stored on the remote portion 135 b. These methods are not foolproof however, especially when the identity thief 125 has previously gained access (physical or digital) to devices comprising the local portion 135 a (e.g., a biometric scanner 140, a cellphone, computer, etc.). Once an identity thief 125 has gained access to a local portion 135 a that currently has been granted access to the remote portion 135 b (e.g., by stealing a computer, smartphone, or other device while the individual 120 has logged in) or has the biometric dataset 160 that will be sent from the local portion 135 a (e.g., via a man-in-the-middle attack) and can spoof a successful presentation of a biometric marker, the only ways to prevent the identity thief 125 from performing actions as the individual 120 are to directly contact the remote system 155 to log out the individual 120 (e.g., via a phone call or a theft alert system requesting logout) or for the transaction safety systems of the remote system 155 to activate (e.g., number of emails per second limits, spending limits, asset transfer limits). One of ordinary skill in the art will be familiar with various direct contact and transaction safety systems.

By being disposed between the local portion 135 a and the remote portion 135 b of an authenticator 130, the bureau 110 is operable to detect use deviations of the biometric dataset 160 with greater reliability and finesse than current transaction safety systems. Because the meta dataset 180 for a given individual 120 is built from multiple local portions 135 a, remote portions 135 b, and authenticators 130 that are entirely local, by observing communications between systems and obtaining authentication datasets 170, a meta dataset 180 that encompasses all of the use information/access conditions for an individual 120 is created. By using the meta dataset 180 for an individual 120, the bureau 110 is operable to determine the use patterns for an individual 120 and to determine when a use of the remote system 155 deviates from those use patterns. For example, when a login request is sent from a device with an unknown device identifier (e.g., Media Access Control (MAC) address, serial number, etc.), such as, for example, a new device associated with the individual 120 or a device associated with an identity thief 125, the bureau 110 will note that a use deviation has occurred. Similarly, location of login, time of login, other devices simultaneously logged in, number of tries to log in, activities taken while logged in (e.g., purchase size, frequency of messages sent, shipping address information, etc.), and combinations thereof can be used by the bureau 110 to determine when the actions taken by a person attempting to log in, or take actions while logged in, deviate from the use history as indicated by the meta dataset 180.

When a use deviation is detected, the bureau 110 is operable to communicate with affected authenticators 130 to prevent or mitigate unauthorized access or use. In various aspects, the affected authenticators 130 are those systems, remote or local, that use a common biometric marker, biometric dataset 160, or can be accessed through a shared master system. For example, when a use deviation is detected for a system that uses a first biometric marker for access control, all other systems known to the bureau 110 to use that first biometric marker may be contacted so that they will not grant access via the first biometric marker until the use deviation is resolved or an alternate authentication is supplied. Similarly, once a use deviation is learned of, such as, for example, a data breach in which an identity thief 125 gained access to several biometric datasets 160, an individual 120 and remote systems 155 may be alerted to the use deviation so that the biometric marker from which the stolen biometric dataset 160 was generated will not be used in the future for a given individual 120.

FIG. 2 is a diagram of example biometric markers. Biometric markers are features of an individual's physiology that are capable of being used to identify that individual from amongst the population. Popularly used biometric markers are easily accessible physical features with patterns that are distinct to the individual. As will be appreciated, a device that reads the biometric markers interprets these patterns and stores them as the biometric dataset 160, which is used to authenticate the individual to various systems. As will also be appreciated, the algorithms used to compare a given biometric marker to a biometric dataset 160 stored by an authenticator 130 may look at various features of a given biometric marker and account for natural variation in the biometric feature itself or in how it was scanned by a biometric scanner 140, which may depend on the presented biometric feature, examples of which are detailed below.

Fingerprints 210 a-e (generally, fingerprints 210) are an example of popularly used biometric markers that are based on the patterns of ridges found on the digits of individuals 120. In various aspects, a biometric scanner 140 that measures fingerprints 210 may be an optical scanner, comprising an array of photosensitive diodes (e.g., a digital camera) used to create an image of the fingerprint 210, or a capacitive scanner, comprising an array of conductive plates coupled via inverting operational amplifiers to detect changes in capacitance to a surface in contact with the ridges of a fingerprint 210 (or, inversely, not in contact with the valleys) to form a capacitance map of the fingerprint 210 being scanned. Fingerprint 210 scanning may need to account for dirt, sweat, injury, swelling, and positioning relative to the biometric scanner 140, among other factors.

A blood vessel geometry 220 is another example of a popularly used biometric marker, which is based on the patterns of blood vessels (e.g., veins, arteries, capillaries) as measured by an array of photosensitive diodes (e.g., a digital camera). The blood vessel geometry may be taken in several locations from the body of the individual 120, but patterns from the ventral sides of the wrists and from the retinas are most popularly used. Blood vessel geometry 220 scanning may need to account for changes in pigmentation (e.g., tanning), changes in hair cover, bruising and injury, dirt, sweat, tears, corrective or cosmetic lenses, growth, and positioning relative to the biometric scanner 140, among other factors.

An iris pattern 230 is a third example of a popularly used biometric marker, which is based on the patterns found in the irises surrounding the pupils in the eyes. In various aspects, iris patterns 230 may be scanned via color or grayscale imaging. Iris pattern 230 scanning may need to account for dilation of the pupil, corrective or cosmetic lenses, injury, motion of the eye, and positioning relative to the biometric scanner 140, among other factors.

To provide additional contrast to visually collected biometric datasets 160, such as, for example, those that include fingerprints 210, blood vessel geometry 220, or iris patterns 230, the biometric scanners 140 may provide additional light sources, such as, for example, a flash on a camera. Additionally, the biometric scanners 140 may use various ranges of frequencies of light (e.g., infrared, visible, ultraviolet) when a visual scan of the biometric marker is made. Visually collected biometric datasets 160 may be stored as image files of the biometric marker (e.g., bitmaps, Graphics Interchange Format (GIF) files, Joint Photographic Experts Group (JPEG) files, Portable Network Graphics (PNG) files), a pattern classification file (e.g., an Integrated Automated Fingerprint Identification System (IAFIS) features record), or a biometric data interchange format standard (e.g., files conforming to the International Committee for Information Technology Standards (INCITS), American National Standards Institute (ANSI), or International Standards Organization/International Electrotechnical Commission Joint Technical Committee (ISO/IEC JTC) 1/SC 37 formats). The format required may be specified in an authentication dataset 170 or the authentication requirements 175 of a remote portion 135 b.

Vocal patterns 240 are yet another popularly used biometric marker, which are based on the frequencies and rhythms used by an individual 120 when speaking. In various aspects, the scanning of vocal patterns 240 may specify a code-word or phrase for the individual 120 to use when vocal patterns 240 are scanned so that vocal patterns 240 for specific words may be compared. In other aspects, the individual 120 may submit a large sampling of vocal patterns 240 during on-boarding so that general speech traits may be deduced, thus removing the need for a particular code-word or phrase for authentication. The biometric dataset 160 for vocal patterns 240 may be stored as a sound file (e.g., a wave file, an MP3 file, a Free Lossless Audio Codec (FLAC) file), or as an image or video file via a spectrogram of the scanned vocal patterns 240 or Fourier transforms thereof. The scanning of vocal patterns 240 may need to account for illnesses (e.g., head colds, laryngitis), natural variations in speech, and background noise, among other factors. Different frequency ranges may be scanned (or filtered out) when using vocal patterns 240 to reduce the chance of background noise impacting the authentication of the individual 120.

One of ordinary skill in the art will appreciate that other physiological features than those discussed in relation to FIG. 2 may be used as biometric markers and that other example biometric scanners 140 are possible. For example, less easily accessible physical features may also be used as biometric markers, albeit with less convenience to the individual 120 or the authenticator 130. For example, while a fingerprint 210 is a popularly used biometric marker, footprints and toeprints are less popularly used due to a variety of factors that decrease ease of access to those features (e.g., amount of clothing worn over the feature, amount of dirt on the feature, flexibility and dexterity differences) and a comparative difference in size. Other biometric scanners 140 may measure typing patterns, handwriting, and shapes/patterns of body parts via pressure sensors, and via algorithms that measure rhythms of inputs. The examples given in relation to FIG. 2 are therefore to be taken as non-limiting illustrations of potential biometric markers, and therefore do not limit the scope of the present disclosure.

FIG. 3 is a block diagram illustrating example components of a bureau 110. As illustrated, a bureau analyzer 310 is in communication with a bureau database 320, a bureau receiver 330, and a bureau transmitter 340. In various aspects, each of these components may be implemented by a single computer device, such as that illustrated in FIG. 6, or via multiple computer devices in a distributed system.

Communications from and between portions of authenticators 130 are monitored by the bureau receiver 330 and are organized by the bureau analyzer 310 to build the meta dataset 180. The meta dataset 180 comprises access conditions related to historic usage information of each individual 120 and their associated biometric datasets 160, which are stored in the bureau database 320. The bureau analyzer 310 compares current usage information to the historic usage information according to various rules to determine when a potential use deviation has occurred, and will communicate with authenticators 130 via the bureau transmitter 340 when a potential use deviation is detected. Additionally, the bureau transmitter 340 is operable to transmit, on request, usage reports regarding how biometric datasets 160 are being used.

The bureau receiver 330 and bureau transmitter 340 are hardware devices for communication over a network. In various aspects, the bureau receiver 330 and the bureau transmitter 340 may be different aspects of a single transceiving device or separate communication devices dedicated to receiving and transmitting respectively. As will also be appreciated, more than one bureau receiver 330 or bureau transmitter 340 may be part of a bureau 110, and an array of communication devices may be employed. Because authenticators 130, or the portions thereof, may communicate with the bureau 110 over the Public Switched Telephone Network (PSTN), which includes cellular telephone networks, microwave transmission links, fiber optic cables, and telephone cables, the communication devices that comprise the bureau receiver 330 and bureau transmitter 340 may be adapted for communication over various transmission media. For example, the communication devices may include lasers, photodiodes, network interface cards, and antennas that are adapted for communication via fiber optic signals, electrical signals, and radio signals at the appropriate frequencies or wavelengths and formatted to the relevant standards. One of ordinary skill in the art will be familiar with the relevant spectra and standards for communication via the various transmission media, and will adapt the hardware and firmware of the bureau receiver 330 and the bureau transmitter 340 accordingly.

The bureau database 320 is a memory device comprising computer readable storage media to store the meta datasets 180 related to the use of biometric markers. As will be understood by one of ordinary skill in the art, computer readable storage media are hardware devices used to store information and instructions in a computer readable format, and are distinct from transmission media and signals. Although illustrated as one component, the bureau database 320 may be implemented as an array of memory devices, for example, several hard drives (solid state or magnetic disk) in a Redundant Array of Independent Disks (RAID) configuration part of a Network Attached Storage (NAS) device to provide data redundancy and performance improvements over a single large capacity memory device.

The bureau analyzer 310 is operable to organize the messages received by the bureau receiver 330 to build the meta dataset 180 for how each biometric marker is being used for access control. When an individual 120 seeks to be authorized and presents a biometric marker to be scanned, the biometric scanner 140 will transmit its scan to a local system 150 or a remote system 155 to approve or deny access for the individual 120 to that system. In some aspects, the bureau 110 acts as a clearinghouse, such that any messages sent to a remote system 155 are passed through the bureau 110; being received by the bureau receiver 330 and being retransmitted by the bureau transmitter 340 to the remote system 155. In other aspects, such as when the system granting access is a local system 150, or when the bureau 110 does not act as a clearinghouse, separate messages are sent to the bureau 110 in addition to the transmission of the scan from the biometric scanner 140 to the system that uses the biometric marker for access control to inform the bureau 110 that the biometric marker is being used.

Additionally, the authenticators 130, independently of log in requests, may communicate with the bureau 110 to inform the bureau 110 of developments regarding the biometric datasets 160, such as, for example, a data breach that exposed biometric datasets 160 to identity thieves 125 or other nefarious parties, a new device or user being authorized to use biometric markers to access the system, the deletion of a biometric dataset 160, changes in authentication requirements 175, requests for a history report on use of a biometric marker, requests for additional available biometric datasets 160 that are used by other systems, etc.

When the bureau acts as a clearinghouse, the content of messages between local portions 135 a and remote portions 135 b may be ignored or examined. In aspects where the content is ignored, the meta dataset 180 may be built from an initial authentication dataset 170 from on-boarding and header information in subsequent communications. Header information includes data related to the location of the individual 120 when presenting the biometric marker, the time that the biometric marker is presented, the device to which the biometric marker is presented, and the system that the biometric marker is used to gain access to. By ignoring content and building the meta dataset 180 from header information, the bureau 110 may avoid the need of decrypting messages that include encrypted content and assure users of the privacy of their communications. In aspects where the content is examined in addition to the header information, however, the bureau analyzer 310 is further operable to build the meta dataset 180 based on what actions the individual 120 is taking with the system. As will be appreciated, when the contents of a message are encrypted, the bureau 110 may be given a key to decrypt (and, in some aspects, re-encrypt) the content so that it may be analyzed. In various aspects, the keys may be exchanged at the time of onboarding or at a later time (e.g., to replace an existing key or to set up encryption at the later time) by a local system 150 or by a remote system 155.

The bureau analyzer 310 is operable to compare current usage information, from a currently received communication, to historic usage information in the meta dataset 180 to determine when a potential use deviation has occurred. The bureau 110 uses various rules to determine whether a use deviation has occurred, and these rules are configurable on a client-by-client basis, so that different systems may set different effects for detecting use deviation. Example rules include, but are not limited to: whether multiple concurrent logins are allowed, permitted/denied locations of login (e.g., internet protocol (IP) address, business name, cell-tower derived coordinates, global positioning system (GPS) coordinates), time between logins at different locations, a number of communications within a given time period (e.g., indicating multiple failed log ins), types of actions attempted while logged in (e.g., large transfers of money), and whether the devices transmitting communications are previously known to the bureau 110.

The bureau analyzer 310 is further operable to generate reports and alerts on biometric marker usage when a use deviation is detected, or on request. When a request is received by the bureau receiver 330, the bureau analyzer 310 will compile a report on a given biometric marker and the access conditions surrounding the use of that biometric marker. For example, a user may request a report regarding a left iris pattern, and the bureau analyzer 310 will return a report, via the bureau transmitter 340, that indicates the devices that use the pattern of the left iris for access control, frequency of use of the left iris to gain access, how the left iris is stored (e.g., encryption, file type, file size), whether any use deviations have been detected in the past, whether data breaches have affected the biometric marker, etc. Similarly, when an alert for a use deviation is generated by the bureau analyzer 310, it is transmitted to a user device (in some aspects a different user device than the one on which the use deviation is detected) by the bureau transmitter 340, and includes information related to what triggered the determination to generate an alert. For example, an individual 120 who logs into a first device in city A will be alerted when a biometric marker from that individual 120 is received from a second device located in city B, and will be alerted on the first device that an attempted login was received from a second device in a different location.

In various aspects, an alert may be provided to the local portion 135 a of the authenticator 130. When an alert is transmitted to a local portion 135 a, the alert will indicate what triggered the alert to be generated, for example, the metadata in an access attempt that differ from the meta dataset 180. The local portion 135 a may respond to the alert by sending a command to the bureau 110 to accept or to reject the metadata as part of the meta dataset 180. For example, when the metadata indicate that the local portion 135 a is an unknown device, such as, for example, a new cellphone, an alert may be sent and responded to, accepting the new device, and adding its identifier to the meta dataset 180 so that a subsequent alert will not be generated when the new device is used again. In an alternate example, when the metadata indicate that the local portion 135 a is an unknown device, such as, for example, an attempt to log into the remote portion 135 b by an identity thief 125, an alert may be sent and responded to, rejecting the unknown device so that the current and future attempts to log into the remote portion 135 b will be rejected (or ignored) without additional alerts being generated.

In other aspects, an alert may be provided to the remote portion 135 b of the authenticator 130. When an alert is transmitted to the remote portion 135 b, the alert will indicate what triggered the alert to be generated and optionally includes a logout command for any local portions 135 a associated with the individual 120 on the remote portion 135 b. For example, the individual 120 may be logged into the remote portion via a cellphone using a fingerprint 210 that an identity thief 125 attempts to spoof on a desktop computer while the individual 120 is logged in. The bureau 110 will recognize two log in attempts using the same biometric marker as a use deviation, and will transmit an alert to the remote portion 135 b. A logout command may be transmitted by the bureau 110 to log out the individual 120, or the remote portion 135 b may automatically log out the individual 120 and identity thief 125, or transmit a request for secondary authentication before logging out either party and blocking access until the secondary authentication is received. Because, if the identity thief 125 in the above example has spoofed the individual's device and biometric marker, the remote portion 135 b may not know which party is the individual 120 and which is the identity thief 125, all access granted for the particular biometric marker will be terminated for the remote portion 135 b, and the bureau 110 is operable to transmit the use deviation to other remote portions 135 b so that the identity thief 125 cannot continue to use the biometric marker to gain access to the other accounts of the individual 120.

The use deviations and the access conditions surrounding the use of the biometric markers (time, frequency, devices, location, file type, file size, encryption, etc.) may also be transmitted in a report generated by the bureau 110 to either the local portion 135 a or the remote portion 135 b. In various aspects, the reports may be organized according to the individual 120 (e.g., all biometric markers used by the individual), the domain to which access is granted (e.g., all biometric markers used by the remote portion 135 b for access control), the biometric marker in general (e.g., all thumbprints for a given remote portion 135 b, thumbprints across multiple remote portions 135 b), or the specific biometric marker (e.g., a thumbprint for a particular individual 120 at one or more remote portions 135 b).

For example, an individual 120 may request a report from the bureau 110 (in a paper or electronic format) to learn about how various systems and the individual 120 are using or sharing the individual's biometric markers. The individual 120 may learn that a left thumbprint is used on six systems for access control, a right thumbprint is used by one system, and a voiceprint is used by two systems. The individual 120 may also be presented with the frequency at which those biometric markers are presented for granting access, a success rate of presentation, and whether any use violations have been detected that are associated with those markers. This allows individuals 120 to see and verify the systems that use their biometric markers for access control. For example, an individual 120 may see that a loan was applied for using a biometric marker for identity confirmation in a country that the individual 120 has never visited, so that the bank may be contacted for fraud protection purposes. In another example, the individual 120 may be sent the report without making a request when a data breach at a system has exposed the individual's biometric marker, so that the individual 120 may re-authenticate and provide a different biometric marker at that system and any other systems that use the affected biometric marker to proactively prevent unauthorized access. The bureau 110 may also, with the individual's consent or until the individual 120 overrides the bureau 110, notify systems in communication with the bureau 110 that a given biometric marker has been affected by a data breach and that additional or alternative authentications should be used to grant access when creating or accessing accounts or profiles. In various aspects, the bureau 110 will automatically transmit these reports to a registered address or device when a use deviation or data breach occurs, or the individual 120 or systems may request biometric marker usage reports on demand.

FIG. 4 is a flow chart showing general stages involved in an example method 400 for improving the security of systems that use biometric markers for access control. Method 400 begins at OPERATION 410, where on-boarding information is received by the bureau 110 from an authenticator 130. In various aspects, the on-boarding information includes the authentication dataset 170 for a given individual 120 and authenticator 130, which includes metadata on how the individual 120 was on-boarded, how the individual 120 was authenticated for on-boarding, the identity of the individual 120, the identity of the system that the individual 120 has been granted access to via the on-boarded biometric dataset 160, and information related to the biometric marker and the biometric dataset 160.

Method 400 proceeds to OPERATION 420, where usage information and access conditions are collected for the biometric marker, and the meta dataset 180 for the biometric marker is built and kept up to date. The bureau 110 tracks various aspects of the access conditions for the use of biometric markers and the systems that use the biometric markers for access control to build and update the meta dataset 180. In various aspects, the collection of usage information to build/update the meta dataset 180 may be passive or both passive and active. Passive collection of usage information occurs when the bureau 110 monitors communications from a local portion 135 a of an authenticator 130 to the remote portion 135 b of the authenticator 130 (or vice versa). Active collection of usage information occurs when the bureau 110 requests specific information from an authenticator 130 to which the authenticator 130 responds, or when an authenticator 130 transmits information (unprompted) to the bureau 110. For example, the bureau 110 may passively collect information regarding a time of login and the remote systems 155 to which the individual 120 is requesting access, actively request a time of login and the local systems 150 to which the individual 120 is requesting access, and actively receive a notice of a data breach from a remote system 155.

At DECISION 430 it is determined whether a use deviation for the biometric marker is detected. Use deviations are determined by the bureau 110 by comparing current usage information to historic usage information. In various aspects, multiple concurrent logins, new location of login (e.g., internet protocol (IP) address, business name, cell-tower derived coordinates, global positioning system (GPS) coordinates), unusual time of login (e.g., at 4 am for the typical time zone for the individual 120), multiple failed attempts at login, actions attempted while logged in (e.g., large transfers of money), and unknown devices attempting login may be treated as a basis for a use deviation, although other bases may be defined as potential use deviations and several bases may be combined when defining a use deviation.

For example, logins from two different locations that use biometric datasets 160 for the same individual 120 may be deemed a use deviation if the logins occur within a set period of time. For example, if the bureau 110 notes that an individual 120 logs in to a system from San Francisco at noon and logs in to a system from New York thirty minutes later, it will be determined that a use deviation has occurred. Conversely, if the bureau 110 notes that an individual 120 logs into a system from San Francisco on Monday and logs into a system from New York on Tuesday, it may be determined that no use deviation has occurred, as enough time has passed for the individual 120 to have relocated from one location to the other (a use deviation may still have occurred, albeit based on other reasons).
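The location-and-time comparison in the example above, together with the unknown-device, accept/reject, and failed-attempt rules described earlier, is sketched below as an added illustration that is not part of the patent. The class and function names, the speed-based threshold (a generalization of the "set period of time" test), every numeric threshold, and the sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass(frozen=True)
class AccessEvent:
    """Header-level metadata for one presentation of a biometric marker."""
    individual: str
    marker: str
    device_id: str
    lat: float
    lon: float
    when: datetime
    success: bool = True


@dataclass
class ClientRules:
    """Per-client rule settings; all values are assumed, not from the page."""
    max_speed_kmh: float = 1000.0    # faster implied travel is a deviation
    min_distance_km: float = 50.0    # ignore small location jitter
    max_failures: int = 3
    failure_window: timedelta = timedelta(minutes=10)


@dataclass
class MetaDataset:
    """Historic usage kept for one (individual, marker) pair."""
    known_devices: set = field(default_factory=set)
    rejected_devices: set = field(default_factory=set)
    failures: list = field(default_factory=list)
    last_good: Optional[AccessEvent] = None


def distance_km(a, b):
    """Great-circle (haversine) distance between two events' coordinates."""
    p1, p2 = radians(a.lat), radians(b.lat)
    h = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(b.lon - a.lon) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


class Bureau:
    def __init__(self, rules):
        self.rules = rules
        self.meta = {}

    def _dataset(self, individual, marker):
        return self.meta.setdefault((individual, marker), MetaDataset())

    def onboard(self, event):
        """Seed the meta dataset from the on-boarding event."""
        ds = self._dataset(event.individual, event.marker)
        ds.known_devices.add(event.device_id)
        ds.last_good = event

    def resolve_device(self, individual, marker, device_id, accept):
        """Apply the accept/reject response to an unknown-device alert."""
        ds = self._dataset(individual, marker)
        (ds.known_devices if accept else ds.rejected_devices).add(device_id)
        (ds.rejected_devices if accept else ds.known_devices).discard(device_id)

    def check(self, event):
        """Return the reasons this event deviates from history (empty if none)."""
        ds = self._dataset(event.individual, event.marker)
        reasons = []
        if event.device_id in ds.rejected_devices:
            reasons.append("rejected_device")   # caller may deny silently
        elif event.device_id not in ds.known_devices:
            reasons.append("unknown_device")
        prev = ds.last_good
        if prev is not None:
            km = distance_km(prev, event)
            hours = abs((event.when - prev.when).total_seconds()) / 3600
            if km > self.rules.min_distance_km and (
                    hours == 0 or km / hours > self.rules.max_speed_kmh):
                reasons.append("impossible_travel")
        if not event.success:
            cutoff = event.when - self.rules.failure_window
            ds.failures = [t for t in ds.failures if t >= cutoff] + [event.when]
            if len(ds.failures) >= self.rules.max_failures:
                reasons.append("repeated_failures")
        if event.success and not reasons:
            ds.last_good = event   # only clean logins extend the baseline
        return reasons


def demo():
    """Run constructed sample events (not real data) through the rules."""
    sf, ny = (37.7749, -122.4194), (40.7128, -74.0060)
    noon = datetime(2024, 1, 1, 12, 0)   # a Monday

    def ev(device, place, when):
        return AccessEvent("alice", "left_thumb", device, place[0], place[1], when)

    bureau = Bureau(ClientRules())
    bureau.onboard(ev("phone-1", sf, noon))
    out = {"ny_30_min_later": bureau.check(ev("phone-1", ny, noon + timedelta(minutes=30))),
           "ny_next_day": bureau.check(ev("phone-1", ny, noon + timedelta(days=1))),
           "new_laptop": bureau.check(ev("laptop-9", ny, noon + timedelta(days=1, hours=1)))}
    bureau.resolve_device("alice", "left_thumb", "laptop-9", accept=True)
    out["laptop_after_accept"] = bureau.check(
        ev("laptop-9", ny, noon + timedelta(days=1, hours=2)))
    return out
```

Flagged events deliberately do not update the baseline, so a spoofed login from a distant location cannot make the individual's next genuine login look like the anomaly.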

When it is determined that a use violation has occurred in DECISION 430, method 400 proceeds to OPERATION 440. Otherwise, method 400 returns to OPERATION 420, where additional usage information is collected and further checks of use deviation are made.

At OPERATION 440 an alert is transmitted. In various aspects, the alert may be transmitted to the device from which access was sought, a device that has previously been granted access, or a remote system 155 to which access is being sought when a use deviation has been determined to have occurred. For example, when attempts to access a remote system 155 of an online bank are determined to be a use deviation (e.g., the attempts are from an unknown location, are simultaneous with another device, etc.), the alert may be transmitted to both the bank and to a device known to be associated with the account owner. In another example, when a remote system 155 of a store (e.g., a general store, a grocery store, an online store) learns of a data breach that may have included biometric datasets 160 and communicates this to the bureau 110, the bureau 110 may transmit an alert to devices associated with individuals 120 who provided the biometric datasets 160 and any other remote systems which use those biometric datasets 160 so that countermeasures may be taken to prevent an identity thief 125 from impersonating an individual 120 with the biometric dataset 160. The alert may be transmitted via the network as an email message, a text message (e.g., via the short message service (SMS), multimedia message service (MMS), or a proprietary standard), a function call to an application used by a local portion 135 a to access a remote portion 135 b (e.g., an email client, a proprietary “app,” a Rich Site Summary (RSS) feed), or a telephone call.

Access to systems that used the biometric markers as access control is terminated at OPTIONAL OPERATION 450 as a potential countermeasure to identity thieves 125 when a use deviation is detected. Access may be terminated on either the user-side or the provider-side of a system. For example, the bureau 110 may contact a local system 150 to log out of a master system (e.g., an operating system) and/or any subsystems on a device which was part of a use deviation. The bureau 110 may also contact a remote system 155, involved or uninvolved in a use deviation, to log the individual 120 out of its systems or require additional security measures when the individual 120 next tries to gain access. For example, when a use deviation is detected from a cellphone trying to access an email account remotely, the bureau 110 may contact the email service provider to alert it of the use deviation, but may also contact an online bank associated with the individual 120 to alert it of the use deviation, so that the online bank may request additional verification steps when someone attempts to log in to the account for the individual 120. In various aspects, the alert sent by the bureau 110 also includes a logout command so that any open sessions for which access has been granted are closed.

In various aspects, when access is terminated to a master system, such as, for example, an operating system, access will also be terminated to any subsystems, such as, for example, an email client or online banking application being run by the operating system. The subsystems to which access is terminated may use the same biometric datasets 160 for which a use deviation was detected, or may use other datasets for access control (e.g., a different biometric dataset for the same or a different biometric marker, a username/password pair, a pattern).

At OPTIONAL OPERATION 460 the bureau 110 may transmit a request for alternate authentication from the individual 120 as a potential countermeasure to identity thieves 125 when a use deviation is detected. In various aspects, alternate authentication includes, but is not limited to: a different biometric marker (e.g., instead of a first fingerprint 210 a: a second fingerprint 210 b, a blood vessel geometry 220, an iris pattern 230, a vocal pattern 240, etc.), a password, a PIN, a security pattern, answers to a security question, a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) or other Turing test, or a confirmation communication (e.g., a multifactor authentication step such as a phone call, a text message, or an email). Additionally, the request for alternate authentication may be sent to the device from which the use deviation was detected or a secondary device associated with the individual 120 (e.g., when the use deviation or an individual 120 is detected from a desktop computer, the desktop computer or a cellphone associated with the individual 120 may receive the request). When an individual 120 fails to provide a correct alternate authentication, access to the system will be terminated. Alternatively, when the individual provides a correct alternate authentication, access to the system will be re-granted (or maintained if the access had not yet been terminated). As will be appreciated, a response window may be set so that if the individual does not respond to the request for alternate authentication within a given time period, the lack of response will be treated as an improper response or a confirmation that a use deviation occurred. Similarly, when a confirmation communication is responded to, the contacted individual 120 may agree that a use deviation has occurred or disagree that a use deviation has occurred, and access may be terminated, re-granted, or maintained as appropriate.

In various aspects, OPTIONAL OPERATION 460 may be performed in conjunction with, or instead of, OPTIONAL OPERATION 450 and may be performed before, after, or simultaneously with OPTIONAL OPERATION 450. For example, an individual may be prompted for alternative authentication before access is terminated, and access will only be terminated if improper alternative authentication or no authentication is received within a time window, at which time method 400 concludes, otherwise method 400 returns to OPERATION 420 when acceptable authentication is received. In aspects where access is terminated before prompting for alternate authentication, after the individual has provided an acceptable alternate authentication in OPTIONAL OPERATION 460, the individual 120 will be re-granted access to the system to which access was terminated in OPTIONAL OPERATION 460, and method 400 returns to OPERATION 420. If the individual 120 does not provide an acceptable alternative authentication, or agrees that a use deviation has occurred, or method 400 does not perform OPTIONAL OPERATION 460, method 400 then concludes.

FIG. 5 is a flow chart showing general stages involved in an example method 500 for improving the efficiency and speed of on-boarding for systems that use a biometric marker for access control.

Method 500 begins at OPERATION 510, where an on-boarding request is received. An on-boarding request is made when an individual 120 attempts to set up a new account that uses a biometric marker as an access control or attempts to add (or replace) a biometric marker as an access control to an existing account. For example, as a security measure, a system may request a new biometric marker to be used if the bureau 110 has alerted the system that the biometric dataset 160 for a previous biometric marker has been compromised (e.g., a security breach has occurred, multiple use deviations have occurred). In various aspects, the onboarding request may originate from a local system 150 or a remote system 155, or the bureau 110 on behalf of another system. In another example, an office, such as, for example, a bank or a Department of Motor Vehicles, may wish to identify an individual 120 without relying on identification papers (e.g., passport, driver's license, birth certificate), and will need to retrieve an already on-boarded biometric dataset 160 from a trusted third party to compare to the biometric markers of the individual 120. Identifying individuals without identification papers may be particularly useful in industries that deal with non-human individuals (e.g., animal shelters, kennels, veterinarian offices), disaster relief when identification papers may be unavailable, and the identification of individuals who otherwise lack the capacity to respond to requests for identification papers (e.g., babies, the mentally disabled, the dead).

At OPERATION 520 the bureau 110 determines a preferred biometric marker to use as the access control for the system for which the individual 120 is on-boarding. In various aspects, the preferences may be those of the individual 120, those of the system that the individual is onboarding to, or a combination of the two. For example, a remote system 155, for which the individual 120 is setting up a new account, may prefer multifactor authentication of both a username/password pair and a scan of a fingerprint 210. Continuing the example, the individual 120 (or the bureau 110 on behalf of the individual 120) may prefer to use a second fingerprint 210 b instead of a first fingerprint 210 a when using a fingerprint scanner, due to a prior data breach that exposed a biometric dataset 160 for the first fingerprint 210 a.

The preferences may set a number of biometric markers to use in different circumstances, so that, for example, access to an email server or local device may use one biometric marker, but access to an online bank's remote system 155 uses multiple biometric markers (e.g., a fingerprint 210 and a vocal pattern 240). The preferences for subsystems may also set that the same biometric marker may or may not be used as a master system. For example, when an individual gains access to a master system of a smartphone's operating system via a first fingerprint 210 a, a subsystem of an online banking application on that smartphone may have preferences as to whether the first fingerprint 210 a can also be used as a biometric marker to gain access to the remote system 155 of the online bank. Continuing the example, the preferences may allow the individual 120 to re-present the first fingerprint 210 a, to enable the application to use the biometric dataset 160 from login to the smartphone to automatically log in to the remote system 155, or may require that the individual present a different biometric marker than used to log in to the master system or a different subsystem (e.g., an email client).

In various aspects, the preferences also include the authentication requirements 175 of a remote portion 135 b of an authenticator 130. The authentication requirements 175 set what details and format a biometric dataset 160 must have so that a device is allowed or disallowed as a local portion 135 a to the authenticator. Depending on the authentication requirements 175 and the capabilities of various components of a local device that are usable as biometric scanners (e.g., a camera, a microphone, a touch screen), the preferences may select one biometric marker over another. For example, when an individual 120 is attempting to use a smartphone as a local portion 135 a when logging in to a remote system 155, the authentication requirements 175 may change the remote system's initial preference of a fingerprint 210 to a preference for a vocal pattern 240 due to the low resolutions of the smartphone's camera and touchscreen (or higher fidelity of the smartphone's microphone).
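The preference resolution described for OPERATION 520 combines four inputs: the system's ranking of marker kinds, the authentication requirements 175 against the device's sensors, markers the individual wants to avoid after a breach, and the master-system reuse rule. The sketch below is an added illustration, not code from the patent; the numeric quality scores, the rule of at most one marker per kind, and the names `Requirement`, `Enrolled` and `choose_markers` are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:     # one entry of authentication requirements 175
    sensor: str        # device component used as the biometric scanner
    min_quality: int   # hypothetical unit-less fidelity score


@dataclass(frozen=True)
class Enrolled:
    name: str          # e.g. "fingerprint 210 a"
    kind: str          # e.g. "fingerprint"


def choose_markers(system_order, requirements, device_sensors, enrolled,
                   compromised=frozenset(), master_marker=None,
                   allow_master_reuse=True, needed=1):
    """Return (selected, rejected): marker names to request, plus reasons.

    system_order ranks marker kinds by the system's preference; enrolled
    ranks the individual's markers by the individual's preference.
    At most one marker per kind is selected.
    """
    selected, rejected = [], {}
    for kind in system_order:
        if len(selected) == needed:
            break
        req = requirements.get(kind)
        if req is None:
            rejected[kind] = "no authentication requirements published"
            continue
        quality = device_sensors.get(req.sensor, 0)  # absent sensor scores 0
        if quality < req.min_quality:
            rejected[kind] = f"{req.sensor} scores {quality}, needs {req.min_quality}"
            continue
        for marker in (m for m in enrolled if m.kind == kind):
            if marker.name in compromised:
                rejected[marker.name] = "biometric dataset reported compromised"
            elif marker.name == master_marker and not allow_master_reuse:
                rejected[marker.name] = "already used for the master system"
            else:
                selected.append(marker.name)
                break
    if len(selected) < needed:
        return [], rejected   # policy cannot be met with biometrics here
    return selected, rejected


# Constructed sample data; names reuse the page's reference numerals.
REQUIREMENTS = {
    "fingerprint": Requirement("touch screen", 6),
    "vocal pattern": Requirement("microphone", 5),
}
ENROLLED = [
    Enrolled("fingerprint 210 a", "fingerprint"),
    Enrolled("fingerprint 210 b", "fingerprint"),
    Enrolled("vocal pattern 240", "vocal pattern"),
]
ORDER = ["fingerprint", "vocal pattern"]
LOW_END_PHONE = {"touch screen": 3, "camera": 4, "microphone": 8}
TABLET = {"touch screen": 7, "microphone": 6}

if __name__ == "__main__":
    breached = {"fingerprint 210 a"}
    for device in (TABLET, LOW_END_PHONE):
        print(choose_markers(ORDER, REQUIREMENTS, device, ENROLLED, breached))
```

The `rejected` map records why each kind or marker was passed over, which gives the bureau an audit trail when a system's initial preference is overridden.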

Method 500 then proceeds to OPERATION 530, where a request for the preferred biometric marker is transmitted. In various aspects, the request is transmitted to a local portion 135 a of an authenticator 130 to prompt an individual 120 to submit a biometric marker to a biometric scanner 140 so that an initial biometric dataset 160 can be collected to onboard the individual 120 or a new biometric dataset 160 is collected to replace a prior biometric dataset 160. In other aspects, a request is sent to a trusted third system to share a biometric dataset 160 for which the individual 120 is already on-boarded. For example, when a bank is remotely onboarding an individual 120 for access to its remote systems 155, it may not trust that the person seeking access is actually the individual 120, and instead will contact the bureau 110 to locate a third party (e.g., an employer, another bank, a government agency) who can provide the biometric dataset 160 for which the bank's remote systems 155 will request the (alleged) individual 120 to present the biometric marker for. By using a trusted third party, a remote system 155 may rely on an authentication for a previous onboarding as its own authentication of the individual for onboarding at its systems. In another example, when the individual 120 lacks identification documents, an office may consult the bureau 110 to locate another system that had a copy of a biometric dataset 160 that the individual 120 may be compared against at the office. Method 500 then concludes.

FIG. 6 is a block diagram illustrating physical components of an example computing device with which aspects may be practiced. The computing device 600 may include at least one processing unit 602 and a system memory 604. The system memory 604 may comprise, but is not limited to, volatile (e.g. random access memory (RAM)), non-volatile (e.g. read-only memory (ROM)), flash memory, or any combination thereof. System memory 604 may include operating system 606, one or more program instructions 608, and may include sufficient computer-executable instructions for a bureau 110, which when executed, perform functionalities as described herein. Operating system 606, for example, may be suitable for controlling the operation of computing device 600. Furthermore, aspects may be practiced in conjunction with a graphics library, other operating systems, or any other application program and is not limited to any particular application or system. This basic configuration is illustrated by those components within a dashed line 610. Computing device 600 may also include one or more input device(s) 612 (keyboard, mouse, pen, touch input device, etc.) and one or more output device(s) 614 (e.g., display, speakers, a printer, etc.).

The computing device 600 may also include additional data storage devices (removable or non-removable) such as, for example, magnetic disks, optical disks, or tape. Such additional storage is illustrated by a removable storage 616 and a non-removable storage 618. Computing device 600 may also contain a communication connection 620 that may allow computing device 600 to communicate with other computing devices 622, such as over a network in a distributed computing environment, for example, an intranet or the Internet. Communication connection 620 is one example of a communication medium, via which computer-readable transmission media (i.e., signals) may be propagated.

Programming modules may include routines, programs, components, data structures, and other types of structures that may perform particular tasks or that may implement particular abstract data types. Moreover, aspects may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable user electronics, minicomputers, mainframe computers, and the like. Aspects may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, programming modules may be located in both local and remote memory storage devices.

Furthermore, aspects may be practiced in an electrical circuit comprising discrete electronic elements, packaged or integrated electronic chips containing logic gates, a circuit using a microprocessor, or on a single chip containing electronic elements or microprocessors (e.g., a system-on-a-chip (SoC)). Aspects may also be practiced using other technologies capable of performing logical operations such as, for example, AND, OR, and NOT, including, but not limited to, mechanical, optical, fluidic, and quantum technologies. In addition, aspects may be practiced within a general purpose computer or in any other circuits or systems.

Aspects may be implemented as a computer process (method), a computing system, or as an article of manufacture, such as a computer program product or computer-readable storage medium. The computer program product may be a computer storage medium readable by a computer system and encoding a computer program of instructions for executing a computer process. Accordingly, hardware or software (including firmware, resident software, micro-code, etc.) may provide aspects discussed herein. Aspects may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium for use by, or in connection with, an instruction execution system.

Although aspects have been described as being associated with data stored in memory and other storage mediums, data can also be stored on or read from other types of computer-readable media, such as secondary storage devices, like hard disks, floppy disks, or a CD-ROM, or other forms of RAM or ROM. The term computer-readable storage medium refers only to devices and articles of manufacture that store data or computer-executable instructions readable by a computing device. The term computer-readable storage media does not include computer-readable transmission media.

Aspects of the present invention may be used in various distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.

Aspects of the invention may be implemented via local and remote computing and data storage systems. Such memory storage and processing units may be implemented in a computing device. Any suitable combination of hardware, software, or firmware may be used to implement the memory storage and processing unit. For example, the memory storage and processing unit may be implemented with computing device 600 or any other computing devices 622, in combination with computing device 600, wherein functionality may be brought together over a network in a distributed computing environment, for example, an intranet or the Internet, to perform the functions as described herein. The systems, devices, and processors described herein are provided as examples; however, other systems, devices, and processors may comprise the aforementioned memory storage and processing unit, consistent with the described aspects.

The description and illustration of one or more aspects provided in this application are intended to provide a thorough and complete disclosure of the full scope of the subject matter to those skilled in the art and are not intended to limit or restrict the scope of the invention as claimed in any way. The aspects, examples, and details provided in this application are considered sufficient to convey possession and enable those skilled in the art to practice the best mode of the claimed invention. Descriptions of structures, resources, operations, and acts considered well-known to those skilled in the art may be brief or omitted to avoid obscuring lesser known or unique aspects of the subject matter of this application. The claimed invention should not be construed as being limited to any embodiment, aspects, example, or detail provided in this application unless expressly stated herein. Regardless of whether shown or described collectively or separately, the various features (both structural and methodological) are intended to be selectively included or omitted to produce an embodiment with a particular set of features. Further, any or all of the functions and acts shown or described may be performed in any order or concurrently. Having been provided with the description and illustration of the present application, one skilled in the art may envision variations, modifications, and alternate embodiments falling within the spirit of the broader aspects of the general inventive concept provided in this application that do not depart from the broader scope of the present disclosure.

We claim:
 1. A system for improving speed, efficiency, and security of authenticators that use biometric markers for access control, comprising: a processor; and a memory device including instructions, which when executed by the processor are operable to provide: a bureau, located remotely from the authenticators, for collecting metadata on the biometric markers being used for access control and managing use of the biometric markers, wherein the bureau further comprises: a bureau receiver, in communication with the authenticators, operable to receive communications from the authenticators regarding access conditions for using the biometric markers for access control; a bureau database, operable to store a meta dataset including information regarding the access conditions for using the biometric markers for access control; a bureau analyzer operable to extract the metadata from the communications to build the meta dataset, and further operable to determine whether a given communication indicates a use deviation when compared to the meta dataset; and a bureau transmitter, in communication with the authenticators and the bureau analyzer, operable to transmit an alert to the authenticators when the use deviation is detected.
 2. The system of claim 1, wherein the bureau is further operable to generate reports regarding the access conditions for using the biometric markers, wherein the reports specify an organization scheme chosen from: organized by an individual; organized by a domain to which access is granted; organized by a general biometric marker in general for the domain; and organized by a specific biometric marker from the individual.
 3. The system of claim 1, wherein the alert requests a different biometric marker from an individual than the biometric markers involved in the use deviation.
 4. The system of claim 1, wherein the meta data set is built from an initial on-boarding of the biometric markers for granting access control.
 5. The system of claim 1, wherein the meta dataset is extracted from header information in the communications.
 6. The system of claim 1, wherein the authenticator comprises a local portion, from which the bureau receives datasets for the biometric markers, and a remote portion, to which the datasets for the biometric markers grant access.
 7. The system of claim 6, wherein the bureau acts as a clearing house, forwarding messages between the local portion and the remote portion.
 8. The system of claim 6, wherein authentication requirements for the remote portion are transmitted by the bureau to the local portion to enable the local portion to transmit the datasets for the biometric markers in formats acceptable to the remote portion.
 9. A method for improving speed, efficiency, and security of authenticators that use biometric markers for access control, comprising: receiving on-boarding information at a bureau, including a biometric dataset for a biometric marker of an individual, and an authentication dataset, specifying how the individual was identified for on-boarding; collecting, at the bureau, current usage information of the biometric dataset in relation to a remote system to build a meta dataset, wherein the meta dataset comprises historic usage information related to access conditions surrounding usage of the biometric marker; determining, based on comparing the current usage information to the historic usage information, whether the current usage information indicates a deviation in use of the remote system for the individual; when it is determined that the current usage information indicates use deviation, transmitting an alert of the deviation; and when it is determined that the current usage information does not indicate use deviation, continue collecting usage information.
 10. The method of claim 9, wherein the alert is transmitted to the individual.
 11. The method of claim 10, wherein, the alert include a request for an alternate authentication from the individual.
 12. The method of claim 11, wherein the alternate authentication from the individual is chosen from: a password; a personal identification number; a pattern; a security question and response pair; and a different biometric marker.
 13. The method of claim 9, wherein the alert is transmitted to all remote systems known to the bureau to use the biometric marker involved in the deviation in use of the biometric marker.
 14. The method of claim 9, wherein the deviation in use is a data breach of the remote system.
 15. The method of claim 9, wherein the remote system includes authentication requirements, specifying the access conditions required by the remote system to accept the biometric dataset to grant access to the remote system, which are transmitted to the individual by the bureau to ensure that the authentication dataset meets the authentication requirements.
 16. The method of claim 9, further comprising: providing, from the bureau to the individual, a list of remote systems that use a given biometric dataset.
 17. A system for improving speed, efficiency, and security of authenticators that use biometric markers for access control, comprising: a remote portion of an authenticator, including a remote system to which access is granted via a biometric dataset; a local portion of the authenticator, including a biometric scanner operable to scan the biometric markers to produce the biometric dataset, wherein the local portion is in communication with the remote portion via a network to request access to the remote system; and a bureau disposed of between the local portion and the remote portion, wherein the bureau is operable to monitor communications between the local portion and the remote portion over the network to collect a meta dataset on access conditions for how the biometric dataset is used, wherein the meta dataset includes information on a location where the local portion is located when access to the remote system is requested, a time when the access to the remote system is requested, and how the biometric dataset was on-boarded and associated with an individual for the remote system; wherein the bureau is further operable to determine from the communications between the local portion and the remote portion that a use deviation has occurred when the communications include metadata that do not match the information stored in the meta dataset and the generates an alert in response to the use deviation.
 18. The system of claim 17, wherein the alert is transmitted by the bureau to the local portion of the authenticator and indicates the metadata that did not match the information stored in the meta dataset.
 19. The system of claim 18, wherein the bureau is operable to receive from the local portion a command to accept the use deviation as acceptable, wherein the metadata that did not match the information stored in the meta dataset is added to the meta dataset.
 20. The system of claim 17, wherein the alert is transmitted by the bureau to the remote portion of the authenticator with a command to terminate an access granted to the remote portion by a biometric marker in response to the use deviation.